Abstract

This  paper  examines  the  vulnerability  of  wireless  systems  to  interception,  and  provides 
some  simple  steps  that  can  be  taken  to  improve  security.  A  commercially  available 
computational  electromagnetics  software  package  was  used  to  predict  signal  levels  in 
complex  indoor  and  urban  environments.  The  simulation  results  can  be  used  to 
determine  the  detection  range  of  the  network.  Two  basic  scenarios  are  presented:  (1) 
indoor-to-outdoor  propagation  for  a  local  area  network  operating  in  a  two  story 
building,  and  (2)  a  wireless  point-to-point  link  on  an  airbase.  The  simulations 
illustrate  some  of  the  unique  propagation  conditions  that  occur  inside  of  buildings  and 
in  urban  areas.  This  research  has  identified  several  possible  system  weaknesses  and 
suggested  some  simple,  yet  effective,  methods  of  improving  security. 

Introduction 

A variety of wireless systems are used in both the civilian and military sectors. Some
reasons for choosing wireless local area networks (WLANs) and point-to-point (PTP)
systems over hardwired networks are their real-time information availability,
achievable high bandwidths, resilience to failures, and simple and rapid installation
(Boerner, 1995; Pahlavan, 1995).

One concern in deploying systems that radiate in free space is the possibility of signals
being intercepted by unauthorized users. The first step in the hacking process is to
gain unauthorized access to network traffic. In many cases this is most easily
accomplished by intercepting wireless signals. Authentication and encryption provide
data security. Complex encryption techniques make it difficult for the average person
to penetrate the system; however, the algorithms that are built into the network
software have been defeated by knowledgeable hackers (Singhal, 2001; Conjungi,
2003). Although wireless security is vastly improved since the first generation
systems, the threats continue to grow, and maintaining security is a constant challenge
(ITworld, 2004). Predicting and subsequently controlling the electromagnetic
radiation is an effective means of securing the network.

In the case of WLANs, even though the power levels involved are low, a person in a
public lobby or just outside of a building could conceivably tap into a system in a
restricted area. Even for PTP systems that use directive antennas, the antenna
illumination area on the ground (i.e., its “footprint”) increases with the range between
two network nodes. Additionally, there are unique propagation conditions that occur
inside of buildings and in urban areas that can enhance signal detection under certain
circumstances. Thus, wireless systems are vulnerable to uninvited intruders who could
collect sensitive information or possibly even disrupt the computer network by
injecting deceptive signals.

Electromagnetic wave propagation modeling in indoor and urban environments is
difficult because of the interactions between a large number of scattering objects such
as walls and furniture. Modern buildings and furnishings use many materials that
affect propagation by attenuation, reflection, and diffraction. Building walls, floors,
landscapes, and even passing cars affect the manner in which these signals propagate.
The underlying electromagnetic theory is well understood (Balanis, 1989; Molkdar,
1991), and accurate propagation simulations are achievable with sufficient
computational resources (i.e., computer processing time and memory) and high-fidelity
building models. It is often the lack of knowledge of the materials enclosed in a
building wall that limits the accuracy of a simulation, rather than any shortcoming in
the electromagnetic analysis.


Overview 

This paper examines the vulnerability of WLAN and PTP systems to interception, and
provides some simple steps that can be taken to improve security. A commercially
available computational electromagnetics (CEM) software package was used to predict
signal levels in complex indoor and urban environments. The simulations assume that
the WLAN access point or one of the PTP nodes is transmitting. The simulation
outputs are contours of power levels on a grid of observation points that can be used to
predict the radiated power distribution of the network. Given the specification of an
intercept receiver, it is possible to convert the power contours to detection ranges.

Two basic scenarios are presented, which represent a small fraction of the many cases
simulated in the course of the research (Sumagaysay, 2002; Lim, 2003). The first is
WLAN indoor-to-outdoor propagation for a two-story building that might be occupied
by a small business. The second is a wireless PTP link on an airbase that is used to
transmit targeting data to a hangar where it is then disseminated through a local
WLAN to the various aircraft being housed. These cases were selected because they
illustrate some of the unique propagation effects that can occur in urban areas.


Propagation  Modeling 

Radio wave propagation in urban areas is complicated, but it is traditionally attributed
to three basic mechanisms: (1) reflection, (2) diffraction, and (3) scattering (Anderson
et al., 1995). As a result of these propagation mechanisms, the received signal strength
from an access point can be roughly characterized by three nearly independent
phenomena of large-scale path loss, large-scale shadowing, and multi-path fading.
Network links in urban environments are subjected to severe degradation due to the
superposition of many contributions to the three components.


For a narrow band wireless system operating at frequency $f$, the received power $P_r$
at range $R$ from an access point transmitting a power $P_t$ with antenna gain is given
by the Friis equation (Balanis, 1997)

|A|

(1)

The wavelength is $\lambda = c/f$, where $c = 3 \times 10^{8}$ m/s is the phase velocity in free space.
For a WLAN, the user’s antenna gain is assumed to be isotropic (omni-directional),
= 1. The miscellaneous loss and processing gain factors, $L$ and $G_p$, respectively,
are system dependent. The path-gain factor (PGF) $F$ gives the total signal (electric
field intensity) at the user’s location relative to the direct free-space signal. The PGF is
computed by the software using the given geometry and media electrical parameters.

Because the reflecting and diffracting objects are large compared to the wavelength,
high-frequency ray-tracing approximations can be applied, as illustrated in Figure 1
(Deschamps, 1972). In addition to the direct path signal, for ray-based propagation
modeling, the contributors to the total electric field intensity are the many reflected and
diffracted signals that occur in the environment. They arise from the ground and
foliage, or buildings and other manmade objects on the ground or in the air. At a given
observation point in space, the total field will be the sum of all of the direct,
reflected, and diffracted fields arriving at that point.


Figure 1: Illustration of some possible ray paths for the simple case of a glass slab and metal wall
(top view).

Formulas  are  available  for  the  reflected  and  diffracted  fields  based  on  geometrical 
optics  (GO)  and  the  geometrical  theory  of  diffraction  (GTD)  (Balanis,  1989).  They 
incorporate  coefficients  that  linearly  relate  the  reflected  and  diffracted  fields  to  the 
incident  fields  at  the  reflection  and  diffraction  points,  respectively.  In  the  case  of 
reflection,  the  traditional  Fresnel  coefficients  for  planar  boundaries  can  be  used 
(Balanis,  1989).  Specular  (mirror-like)  reflections  must  satisfy  Snell’s  law:  the  angle 
of  reflection  equals  the  angle  of  incidence.  Edge-diffracted  fields  also  follow  known 
trajectories;  they  lie  on  a  cone  whose  axis  is  coincident  with  the  diffracting  edge  and 
half  angle  is  determined  by  the  angle  of  the  incident  ray  with  the  edge  (Keller  1962). 
The  formulas  for  the  reflection  and  diffraction  coefficients  depend  on  the  electrical 
properties  of  the  materials.  The  materials  are  defined  by  their  relative  permittivity, 
relative  permeability,  and  surface  resistivity  (Balanis,  1989).  Combinations  of  these 
parameters can be used to achieve the electrical characteristics of any building
material.

While  there  are  several  engineering  tools  to  predict  antenna  radiation  and  wave 
propagation,  Urbana  (SAIC  1999)  was  selected  for  this  research.  It  was  selected 
because  of  its  pre-  and  post-processing  capabilities,  as  well  as  having  been  extensively 
validated (Andersh et al., 1996). The propagation model is a three-dimensional
ray-tracing process that in principle predicts the local mean power received at any given
point.  For  each  observation  point,  reflection  and  diffraction  points  on  all  surfaces  are 
determined,  the  ray  paths  between  the  transmitter  and  receiver  are  traced,  and  then  the 
vector  sum  of  multi-path  signals  computed.  The  observation  points  are  at  the  centers 
of  user-defined  cells.  The  model  includes  the  effects  of  wave  polarization  and  antenna 
patterns. 

The  number  of  reflected  and  diffracted  rays  needed  for  a  converged  solution  must  be 
determined  from  the  minimum  signal  level  that  is  to  be  reliably  computed,  and  in  an 
urban  environment  this  is  difficult  to  predict  in  advance.  Convergence  is  established 
by  increasing  the  number  of  ray  contributions  until  the  computed  result  has  stabilized. 

Indoor-To-Outdoor  Propagation 

Figure  2  shows  a  model  of  a  two-story  building  that  might  be  occupied  by  a  small 
business.  The  building  footprint  is  a  square  that  is  40  feet  (12.12  m)  on  a  side.  The 
building  walls  are  a  metal  composite,  and  standard  glass  windows  are  used.  A  WLAN 
access  point  antenna  was  considered  to  be  transmitting.  The  signal  levels  were 
calculated  at  points  inside  and  outside  of  the  building.  The  observation  cell  size  is  a 
square  with  edge  lengths  of  1  ft  (30.48  cm).  Therefore  the  “pixel”  size  for  the 
resulting  contour  image  is  1  ft  by  1  ft  (30.48  by  30.48  cm).  Since  this  is  much  greater 
than the wavelength of the frequencies under consideration ($\lambda$ = 0.125 m at 2.54 GHz),
the field strength at other points in the cell will fluctuate about the center value.
Small-scale variations in the field are not captured, but large-scale path loss and
shadowing are. More resolution can be achieved at the expense of increased
computation  time. 


Figure  2:  Computer  model  of  a  two-story  office  building. 


The  receiver  sensitivity  is  the  minimum  power  required  for  maintaining  the  link. 
WLAN sensitivities range from -94 dBm for 1 Mbps to -85 dBm for 11 Mbps (Cisco,
2002), where dBm is a decibel relative to a milliwatt reference (Balanis, 1997)

$$P\ \text{in dBm} = 10 \log_{10}\left[P\ \text{in milliwatts}\right]. \tag{2}$$

Figure  3  shows  the  signal  distribution  for  a  transmitter  power  of  100  milliwatts.  The 
solid and dashed lines represent exterior and interior wall locations, respectively. The
access point antenna is on the first floor, at x = y = 50 inches (denoted by the location
of the “o” in the figure). Strong signals passing through the windows are evident.
Although the strongest signals are confined to the interior of the building, significant
levels are transmitted through the walls and windows. Roughly speaking, no
interception  would  be  possible  in  the  dark  areas  using  standard  network  receivers. 
Note  that  at  the  lowest  data  rate,  interception  is  possible  over  most  of  the 
computational  grid  of  1800  inches  (150  feet  =  45.45  m)  on  a  side.  Sophisticated 
intercept  receivers  can  be  designed  with  much  lower  receiver  sensitivities. 

For  the  data  in  Figure  4  the  standard  glass  windows  are  replaced  by  tinted  glass.  There 
has  been  a  significant  reduction  in  the  power  outside  of  the  building.  A  further 
reduction  in  the  signal  level  outside  can  be  achieved  by  moving  the  transmit  antenna  to 
the  second  floor,  as  evident  in  Figure  5. 
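The conversion from a power grid to a detection range, and the effect of lowering transmit power or adding wall loss, as an added example (not code from the paper or from the simulation package it used). It takes the wavelength, 1 ft cell, 150 ft grid, 100 mW transmitter and -94/-85 dBm sensitivities from the text; the centred building and access point, the free-space-plus-flat-wall-loss model standing in for ray-traced output, the 10 and 30 dB wall losses and the 10 dB fade margin are constructed assumptions.

```python
import math

LAMBDA_M = 0.125   # wavelength quoted in the text
CELL_M = 0.3048    # 1 ft observation cell, as in the text
GRID = 150         # 150 ft x 150 ft computational grid, as in the text
BLDG = (55, 95)    # constructed: 40 ft square building centred in the grid
AP = (75.0, 75.0)  # constructed: access point at the building centre (cell units)

def mw_to_dbm(p_mw):
    """Equation (2): power in dBm from power in milliwatts."""
    return 10 * math.log10(p_mw)

def fspl_db(r_m, lam_m=LAMBDA_M):
    """Standard free-space Friis loss (4*pi*R/lambda)^2, in dB."""
    return 20 * math.log10(4 * math.pi * r_m / lam_m)

def inside(i, j):
    lo, hi = BLDG
    return lo <= i < hi and lo <= j < hi

def dist_m(i, j):
    """Distance from the access point to the centre of cell (i, j)."""
    return math.hypot(i + 0.5 - AP[0], j + 0.5 - AP[1]) * CELL_M

def power_grid(tx_dbm, wall_db):
    """Constructed stand-in for simulator output: received dBm per cell.
    Outdoor cells pay one flat wall loss (assumption, not ray tracing)."""
    return {(i, j): tx_dbm - fspl_db(dist_m(i, j)) - (0 if inside(i, j) else wall_db)
            for i in range(GRID) for j in range(GRID)}

def detection_summary(grid, sens_dbm):
    """Fraction of outdoor cells at or above the receiver sensitivity,
    and the largest distance (m) from the access point among them."""
    outdoor = [(p, dist_m(i, j)) for (i, j), p in grid.items() if not inside(i, j)]
    hits = [r for p, r in outdoor if p >= sens_dbm]
    return len(hits) / len(outdoor), max(hits, default=0.0)

def min_tx_dbm(link_sens_dbm, margin_db):
    """Power management: lowest transmit power that still reaches every
    indoor cell at the link sensitivity plus a fade margin."""
    worst = max(fspl_db(dist_m(i, j))
                for i in range(*BLDG) for j in range(*BLDG))
    return link_sens_dbm + margin_db + worst

def scenarios(intercept_sens_dbm=-94):
    full = mw_to_dbm(100)                    # 100 mW transmitter from the text
    managed = min_tx_dbm(-85, margin_db=10)  # 11 Mbps indoors; 10 dB margin assumed
    cases = {"full power, 10 dB wall": (full, 10),
             "managed power, 10 dB wall": (managed, 10),
             "managed power, 30 dB wall": (managed, 30)}
    return {name: detection_summary(power_grid(tx, wall), intercept_sens_dbm)
            for name, (tx, wall) in cases.items()}

if __name__ == "__main__":
    for name, (frac, rng) in scenarios().items():
        print(f"{name}: {frac:.0%} of outdoor cells detectable, "
              f"max range {rng:.1f} m")
```

Under these assumptions, full power leaves every outdoor cell of the grid above the -94 dBm sensitivity, power management alone shrinks the detectable area only partly, and power management combined with the higher wall loss removes it.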


Figure 3: Power levels for a building with metal composite walls and standard glass windows. Units
are decibels relative to a milliwatt (dBm).

Figure 4: Outside power levels are reduced using tinted glass, which reflects signals
back into the building. [Horizontal axis: x, inches.]

Figure 5: Outside power levels are reduced further after moving the access point antenna
to the second floor. [Horizontal axis: x, inches.]


Military  Airbase. 

In the near future, aircraft pre-launched codes, including weapons stores data,
waypoint coordinates and other mission critical data will be transmitted via a wireless
link to the hangar where it is then disseminated through a local WLAN to the various
aircraft. The aircraft, upon successfully receiving the codes and uploading them to
their respective mission computers, will then transmit back an acknowledgement
signal. Security measures are in place throughout the airbase, including patrols around
the perimeter, except perhaps a limited number of office buildings that are open to
contractors and visitors. The objective of this scenario is to determine if there are
possible security weaknesses that could arise. In particular, are there areas inside of the
public buildings where sufficient signal strength exists so that interception is possible?

Figure  6  shows  the  airbase  model  with  a  point-to-point  link  between  the  control  tower 
and aircraft hangar. The buildings are comprised of glass and concrete. PTP networks
use  high  gain  antennas  with  relatively  narrow  beam  widths  compared  to  those  of 
WLAN  access  point  antennas.  Figure  7  shows  the  signal  levels  at  two  heights  for  a 
vertically  polarized  antenna  with  a  15-degree  half  power  beam  width  (HPBW),  when 
transmitting  30  dBm.  At  the  higher  observation  level,  the  fine  structure  of  the  antenna 
sidelobes  is  evident.  In  the  airbase  model,  the  heights  of  the  transmitting  and  receiving 
antennas  are  not  the  same.  In  order  to  point  the  main  beam  of  the  two  antennas 
directly  at  each  other,  they  have  to  be  rotated.  A  downward  pointing  of  the  antenna 
results  in  more  sidelobe  peaks  intercepting  the  ground  plane.  The  peaks  lead  to 
localized  areas  of  high  signal  strength,  or  so-called  “hotspots.” 

Figure 8 shows the signal contours at a height of 2 meters above the ground when the
antenna at the hangar is transmitting and pointed directly at the tower. Figure 9 shows
the contours that result when the antenna on the control tower is transmitting. In the
second case, it was observed that there was a hotspot, as indicated in Figure 9, with a
level near 30 dBm. This is due to the orientation of the cluster of the buildings, which
were closer to the control tower than to the aircraft hangar. The junctions of two
vertical building walls along with the ground serve as an effective “corner reflector”
that can focus the signal at a limited number of nearby points. This presents a potential
opportunity for covert entities to hack into the system. It is interesting to note that the
hotspots caused by local features in the geometry (e.g., a corner reflector) are not
reciprocal in the sense that they may be present when transmitting from control tower
to the hangar, but not when transmitting from the hangar to the control tower.


Figure 6: Airbase model with a point-to-point link between a control tower and aircraft hangar.
Building edges are highlighted. [Labels in the figure: hangar (60 m), aircraft.]
Figure 7: The antenna radiation at observation points on the ground (z = 0) and at z

ground.  The  antenna  height  is  z  =  16  m. 
Figure 8: Signal contours 2 m above the ground when transmitting from the hangar to the control tower.

Figure 9: Signal contours 2 m above the ground when transmitting from the control tower to the hangar.

Guidelines  and  Recommendations 

Wireless systems can have surprisingly large detection ranges when they transmit at
their  highest  power  level.  This  research  has  demonstrated  that  some  simple  steps  can 
be  taken  to  reduce  the  detection  range.  For  WLANs  they  include: 

1. Locating access points in the most interior building spaces

2.  Closing  all  exterior  doors  and  windows 

3.  Using  metal  blinds  or  tinting  on  exterior  windows 

4.  Using  directive  or  sectored  access  point  antennas  to  confine  the  direction  of  strong 
radiation 

5.  Using  the  lowest  possible  power  settings 

6.  Signal  containment  is  most  efficient  for  buildings  with  metal  exterior  walls  as 
compared  to  those  with  wood  walls 

The findings also indicate that there are numerous vulnerabilities associated with
wireless PTP communication systems that may not be apparent by physical
examination of the building layouts. The simulation results have shown that sporadic
hotspots may appear due to the building geometry, particularly near the ground in the
vicinity of corners.

There is a widely held misconception that PTP wireless systems are not susceptible
because they use narrow beam antennas. Furthermore, the antennas are generally
located on building rooftops, which makes it difficult for intercept receivers to position
themselves directly in the antenna’s field of view. However, this research has
demonstrated that adequate signal strength for interception most likely exists well
outside of the antenna main beam. Some simple precautions that can be taken to
reduce the detection range of a PTP system include:

1. Performing a high fidelity EM simulation of the proposed wireless path to identify
hotspots

2. Properly selecting the user’s receiver sensitivity so that the minimum power level
can be transmitted (this technique is known as power management)

3.  Stepping  up  physical  security  in  the  regions  where  the  signal  is  strong  enough  for 
interception 

4.  Implementation  of  more  advanced  software  encryption  techniques 

5.  Incorporating  low  probability  of  intercept  methods  in  the  waveform  design,  e.g., 
frequency  hopping  (Couch  1995) 

Conclusions 

The  fact  that  a  WLAN  is  contained  inside  of  a  closed  building,  or  PTP  antennas  are  in 
a  restricted  area,  may  lead  to  a  false  sense  of  security.  Many  small  businesses  use 
these  networks,  yet  their  system  administrators  are  not  aware  of  the  susceptibility  of 
the  systems  to  interception,  or  feel  that  they  do  not  have  the  resources  to  tighten 
security.  This  research  has  identified  several  possible  system  weaknesses  and 
suggested  some  simple,  yet  effective,  methods  of  improving  security. 